From 11608f8ba47e8380b23360d545276aa1a092d55b Mon Sep 17 00:00:00 2001
From: Arran Cudbard-Bell
Date: Thu, 4 Sep 2025 13:00:42 +0200
Subject: [PATCH] Add ordering match on attributes, to allow server side sort on profiles to return attributes in a consistent order
---
 doc/schemas/ldap/openldap/freeradius-dhcpv4.ldif | 2 +-
 doc/schemas/ldap/openldap/freeradius-dhcpv4.schema | 1 +
 doc/schemas/ldap/openldap/freeradius-dhcpv6.ldif | 2 +-
 doc/schemas/ldap/openldap/freeradius-dhcpv6.schema | 1 +
 doc/schemas/ldap/openldap/freeradius-radius.ldif | 10 +++++-----
 doc/schemas/ldap/openldap/freeradius-radius.schema | 4 ++++
 doc/schemas/ldap/openldap/freeradius-tacacs.ldif | 4 ++--
 7 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/doc/schemas/ldap/openldap/freeradius-dhcpv4.ldif b/doc/schemas/ldap/openldap/freeradius-dhcpv4.ldif
index fb63f38bf6..076fc4ba8f 100644
--- a/doc/schemas/ldap/openldap/freeradius-dhcpv4.ldif
+++ b/doc/schemas/ldap/openldap/freeradius-dhcpv4.ldif
@@ -1,7 +1,7 @@
 dn: cn=freeradius-dhcpv4,cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: freeradius-dhcpv4
-olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.3.2.1.1 NAME 'dhcpv4Attribute' DESC 'DHCP attribute in format [.] ' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.3.2.1.1 NAME 'dhcpv4Attribute' DESC 'DHCP attribute in format [.] ' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.3.1.1.1 NAME 'dhcpv4GatewayIdentifier' DESC 'Gateway Identifier, usually Option 82 Remote ID' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.3.1.1.2 NAME 'dhcpv4GatewayAddr' DESC 'Gateway IP address, usually GIADDR' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.3.1.1.3 NAME 'dhcpv4PoolName' DESC 'DHCP ip pool name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
diff --git a/doc/schemas/ldap/openldap/freeradius-dhcpv4.schema b/doc/schemas/ldap/openldap/freeradius-dhcpv4.schema
index 8113baf4b8..ea6b4a3a1f 100644
--- a/doc/schemas/ldap/openldap/freeradius-dhcpv4.schema
+++ b/doc/schemas/ldap/openldap/freeradius-dhcpv4.schema
@@ -13,6 +13,7 @@ attributetype ( 1.3.6.1.4.1.11344.4.3.2.1.1
 NAME 'dhcpv4Attribute'
 DESC 'DHCP attribute in format [.] '
 EQUALITY caseIgnoreMatch
+ ORDERING caseIgnoreOrderingMatch
 SUBSTR caseIgnoreSubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 )
diff --git a/doc/schemas/ldap/openldap/freeradius-dhcpv6.ldif b/doc/schemas/ldap/openldap/freeradius-dhcpv6.ldif
index 1fe31405f9..284c71feea 100644
--- a/doc/schemas/ldap/openldap/freeradius-dhcpv6.ldif
+++ b/doc/schemas/ldap/openldap/freeradius-dhcpv6.ldif
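Review bot: The `ORDERING caseIgnoreOrderingMatch` added to `dhcpv4Attribute` gives a purely lexical, case-insensitive order over the whole value string, and nothing near the definition says so; the same applies to `dhcpv6Attribute`, `radiusAttribute`, `radiusControlAttribute`, `radiusReplyAttribute` and `radiusRequestAttribute` in the later hunks and in the matching `.schema` files. A server-side sort (RFC 2891) orders entries and, for a multi-valued attribute, should use the least value as the key, so it does not by itself fix the order of values inside one profile entry; where the order in which attributes are applied changes the resulting policy, that distinction matters. I would document it where the definitions are readable, for example in the `.schema` file above the attribute: `# ORDERING is lexical on the whole value string; it orders entries for server-side sort, not values within an entry.`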
@@ -1,7 +1,7 @@
 dn: cn=freeradius-dhcpv6,cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: freeradius-dhcpv6
-olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.4.2.1.1 NAME 'dhcpv6Attribute' DESC 'DHCPv6 attribute in format [.] ' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.4.2.1.1 NAME 'dhcpv6Attribute' DESC 'DHCPv6 attribute in format [.] ' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.4.1.1.1 NAME 'dhcpv6GatewayIdentifier' DESC 'Gateway Identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.4.1.1.2 NAME 'dhcpv6GatewayAddr' DESC 'Gateway IP address' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.4.1.1.3 NAME 'dhcpv6PoolNameNA' DESC 'DHCPv6 IP NA pool name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
diff --git a/doc/schemas/ldap/openldap/freeradius-dhcpv6.schema b/doc/schemas/ldap/openldap/freeradius-dhcpv6.schema
index 83bec7231e..43452b2367 100644
--- a/doc/schemas/ldap/openldap/freeradius-dhcpv6.schema
+++ b/doc/schemas/ldap/openldap/freeradius-dhcpv6.schema
@@ -13,6 +13,7 @@ attributetype ( 1.3.6.1.4.1.11344.4.4.2.1.1
 NAME 'dhcpv6Attribute'
 DESC 'DHCPv6 attribute in format [.] '
 EQUALITY caseIgnoreMatch
+ ORDERING caseIgnoreOrderingMatch
 SUBSTR caseIgnoreSubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 )
diff --git a/doc/schemas/ldap/openldap/freeradius-radius.ldif b/doc/schemas/ldap/openldap/freeradius-radius.ldif
index 9b75e2b60a..57bde91cfe 100644
--- a/doc/schemas/ldap/openldap/freeradius-radius.ldif
+++ b/doc/schemas/ldap/openldap/freeradius-radius.ldif
@@ -59,7 +59,7 @@ olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.55 NAME 'radiusUserCategory' EQUA
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.56 NAME 'radiusStripUserName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.57 NAME 'dialupAccess' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.58 NAME 'radiusExpiration' DESC 'controlItem: Expiration' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
-olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.59 NAME 'radiusAttribute' DESC 'controlItem: $GENERIC$' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.59 NAME 'radiusAttribute' DESC 'controlItem: $GENERIC$' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.61 NAME 'radiusNASIpAddress' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.62 NAME 'radiusReplyMessage' DESC 'replyItem: Reply-Message' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.97 NAME 'radiusFramedIPv6Prefix' DESC 'replyItem: Framed-IPv6-Prefix' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
@@ -68,10 +68,10 @@ olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.169 NAME 'radiusDNSServerIPv6Addr
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.170 NAME 'radiusRouteIPv6Information' DESC 'replyItem: Route-IPv6-Information' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.171 NAME 'radiusDelegatedIPv6PrefixPool' DESC 'replyItem: Delegated-IPv6-Prefix-Pool' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.172 NAME 'radiusStatefulIPv6AddressPool' DESC 'replyItem: Stateful-IPv6-Address-Pool' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.256 NAME 'radiusControlAttribute' DESC 'controlItem: $GENERIC$' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.257 NAME 'radiusReplyAttribute' DESC 'replyItem: $GENERIC$' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.258 NAME 'radiusRequestAttribute' DESC 'requestItem: $GENERIC$' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.259 NAME 'radiusProfilePriority' DESC 'Priority to apply profiles' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 EQUALITY integerMatch ORDERING integerOrderingMatch SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.256 NAME 'radiusControlAttribute' DESC 'controlItem: $GENERIC$' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.257 NAME 'radiusReplyAttribute' DESC 'replyItem: $GENERIC$' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.258 NAME 'radiusRequestAttribute' DESC 'requestItem: $GENERIC$' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.259 NAME 'radiusProfilePriority' DESC 'Priority to apply profiles' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.260 NAME 'radiusProfileCondition' DESC 'Condition to apply profiles' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.261 NAME 'radiusProfileFallthrough' DESC 'Condition to apply additional profiles after this one' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.1.1.1 NAME 'radiusClientSecret' DESC 'Client Secret' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
diff --git a/doc/schemas/ldap/openldap/freeradius-radius.schema b/doc/schemas/ldap/openldap/freeradius-radius.schema
index f8fdecf079..73d07dabf7 100644
--- a/doc/schemas/ldap/openldap/freeradius-radius.schema
+++ b/doc/schemas/ldap/openldap/freeradius-radius.schema
@@ -446,6 +446,7 @@ attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.59
 NAME 'radiusAttribute'
 DESC 'controlItem: $GENERIC$'
 EQUALITY caseIgnoreMatch
+ ORDERING caseIgnoreOrderingMatch
 SUBSTR caseIgnoreSubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 )
@@ -516,6 +517,7 @@ attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.256
 NAME 'radiusControlAttribute'
 DESC 'controlItem: $GENERIC$'
 EQUALITY caseIgnoreMatch
+ ORDERING caseIgnoreOrderingMatch
 SUBSTR caseIgnoreSubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 )
@@ -524,6 +526,7 @@ attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.257
 NAME 'radiusReplyAttribute'
 DESC 'replyItem: $GENERIC$'
 EQUALITY caseIgnoreMatch
+ ORDERING caseIgnoreOrderingMatch
 SUBSTR caseIgnoreSubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 )
@@ -532,6 +535,7 @@ attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.258
 NAME 'radiusRequestAttribute'
 DESC 'requestItem: $GENERIC$'
 EQUALITY caseIgnoreMatch
+ ORDERING caseIgnoreOrderingMatch
 SUBSTR caseIgnoreSubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 )
diff --git a/doc/schemas/ldap/openldap/freeradius-tacacs.ldif b/doc/schemas/ldap/openldap/freeradius-tacacs.ldif
index 8d4a4d6f3b..8f78b41d7d 100644
--- a/doc/schemas/ldap/openldap/freeradius-tacacs.ldif
+++ b/doc/schemas/ldap/openldap/freeradius-tacacs.ldif
@@ -3,12 +3,12 @@ objectClass: olcSchemaConfig
 cn: freeradius-tacacs
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.2.1.1 NAME 'tacacsAttribute' DESC 'TACACS+ attribute in format [.] ' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.2.1.2 NAME 'tacacsService' DESC 'The identifier for the TACACS+ service e.g. exec, shell, ppp, etc...' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.2.1.3 NAME 'tacacsProfilePriority' DESC 'Priority to apply profiles' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 EQUALITY integerMatch ORDERING integerOrderingMatch SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.2.1.3 NAME 'tacacsProfilePriority' DESC 'Priority to apply profiles' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.2.1.4 NAME 'tacacsProfileCondition' DESC 'Condition to apply profiles' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.2.1.5 NAME 'tacacsProfileFallthrough' DESC 'Condition to apply additional profiles after this one' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.3.1.1 NAME 'tacacsCommand' DESC 'The identifier for the TACACS+ command e.g. show, enable, etc...' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.1.1.1 NAME 'tacacsClientSecret' DESC 'Client Secret' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.1.1.2 NAME 'tacacsClientSingleConnectionMode' DESC 'Set whether we allow and request single connection mode for this client' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.3.1.1 NAME 'tacacsCommand' DESC 'The identifier for the TACACS+ command e.g. show, enable, etc...' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcObjectClasses: ( 1.3.6.1.4.1.11344.4.5.2.2.2 NAME 'tacacsServiceProfile' SUP top AUXILIARY MUST tacacsService MAY ( tacacsAttribute $ tacacsProfilePriority $ tacacsProfileCondition $ tacacsProfileFallthrough ) )
 olcObjectClasses: ( 1.3.6.1.4.1.11344.4.5.3.2.2 NAME 'tacacsCommandProfile' SUP top AUXILIARY MUST tacacsCommand MAY ( tacacsAttribute $ tacacsProfilePriority $ tacacsProfileCondition $ tacacsProfileFallthrough ) )
 olcObjectClasses: ( 1.3.6.1.4.1.11344.4.5.1.2.1 NAME 'tacacsClient' SUP top AUXILIARY MUST tacacsClientSecret MAY tacacsClientSingleConnectionMode )
-- 
2.47.3
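Review bot: `tacacsAttribute`, the first attribute line of this hunk, is left without an `ORDERING` rule, while this commit adds `ORDERING caseIgnoreOrderingMatch` to the DHCPv4, DHCPv6 and RADIUS generic attributes, and the diffstat lists no TACACS+ `.schema` file. If TACACS+ profiles are meant to be sorted the same way, a sort keyed on this attribute has no ordering rule to use, and whether the search then fails or returns unsorted results presumably depends on whether the client marks the sort control critical; for authorization data the unsorted case is the one to rule out. The line would read `... EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )`. The other changes in the hunk (moving `SYNTAX` in `tacacsProfilePriority`, moving `tacacsCommand` up) only reorder text.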